Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Malware Hijacks Microphones to Spy On Ukrainian Businesses, Scientists and Media (February 20, 2017)
Researchers have discovered that Ukraine has once again been targeted by a highly sophisticated malware campaign, called “Operation BugDrop.” Threat actors have targeted approximately 70 Ukrainian entities and, as of this writing, have stolen over 600 gigabytes of data. The malware is distributed via spear phishing emails and is capable of turning on the microphone to capture audio as well as capturing screenshots, documents, and passwords. The stolen information and audio are then exfiltrated to Dropbox folders controlled by the attackers.
Recommendation: Spear phishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes a company email account is compromised and used to send such emails. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Spear Phishing, BugDrop

MalSpam – Subject: Radar Photo Proof 57628324 (February 20, 2017)
A new malicious spam operation is attempting to trick victims into following a link that claims to be a “negligent driving” violation. If the link is followed, a malware dropper is downloaded that then downloads and installs a trojan onto the system. Researchers contend that this strain may be the Zeus trojan variant Zeus Panda Banker.
Recommendation: This email spam tactic has been used by malicious actors in the past, and police departments in the U.S. have had to inform the public that they will never email them concerning a traffic violation. It could also be useful for employees to get out of the habit of using email attachments in favor of a cloud file hosting service, and to never follow links from vendors attempting to use scare tactics.
Tags: Malspam, Zeus trojan

TeamSpy Malware Spammers Turn TeamViewer into Spying Tool in Targeted Attacks (February 21, 2017)
The threat actor group called “TeamSpy” has been identified as being behind a new spam campaign, according to Heimdal Security researchers. TeamSpy was last reported to be active when it was discovered that the group had been engaged in a 10-year-long cyber espionage campaign from 2003 to 2013. TeamSpy is using social engineering to trick targets into installing malware via malicious email attachments. Using DLL hijacking, the attacker adds a VPN and a keylogger to the TeamViewer application; the malware then sends stolen data back to a C2.
Recommendation: Always be on high alert while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: TeamSpy, Phishing

How to Bury a Major Breach Notification (February 21, 2017)
An unnamed software company that provides a popular, and also unnamed, piece of software to major U.S. companies had its website and update server breached for two weeks in April 2015, according to RSA researchers. Researcher Brian Krebs believes that the compromised software package was “EVlog,” provided by Altair Technologies Ltd. The company provides software designed to help Windows system administrators better understand and parse Windows event logs. Companies that use the software may have automatically downloaded compromised update versions. Entities that downloaded compromised versions include: 24 banks and financial institutions, five defense contractors, approximately 24 Fortune 500 companies, approximately 45 higher education institutions, over 36 IT product manufacturers or solution providers, and over 10 western military organizations.
Recommendation: Always practice defense in depth – deploy redundant, layered, and failsafe security controls at every level of your network in order to detect attackers early and stop them before they get deep into your network.
Tags: Vulnerability, EVlog

Rogue Chrome Extension Pushes Tech Support Scam (February 21, 2017)
A new malicious advertising (malvertising) campaign has been identified targeting Chrome web browser users. If a targeted user follows a link provided by the attacker and is directed to a malicious website, the website will detect whether or not the visitor is using Chrome. If Chrome is detected via the user agent, a pop-up will appear requesting that an extension be installed in order to leave the webpage; during this time the browser is stuck in a perpetual loop of full-screen modes. Once the extension is added, malicious JavaScript will reach out to a C2 and present the infected computer with technical support scams.
Recommendation: While web browser extensions can be useful in day-to-day business activities, it is possible, as this story describes, for malicious extensions to make their way into legitimate services (Google has since removed the malicious extension). Your company should only use browser extensions and add-ons provided by trusted sources.
Tags: Malvertising

Keep Your Account Safe by Avoiding Dyzap Malware (February 22, 2017)
A new version of the Dyzap trojan has been identified in the wild with new features, according to Fortinet researchers. Dyzap targets over 100 applications and is capable of stealing information stored in multiple web browsers, databases, and registries, as well as using keylogger functions. The malware packs the stolen information into binary-format packets before sending it to a C2.
Recommendation: Malware authors are always innovating new methods of communicating back to their control servers. Always practice defense in depth (don’t rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Dyzap trojan

Malware Uses Blinking Hard LEDs to Transmit Data to Nearby Cameras (February 23, 2017)
Researchers from Ben-Gurion University of the Negev in Israel have created a custom malware that can exfiltrate data from a compromised machine as binary code represented by blinking LED lights. The researchers successfully tested their malware and were able to recover information from a machine by video recording the rapidly blinking LED (where the light turned on represents one, and off represents zero). The malware does not need administrator rights to execute and was designed to steal data from air-gapped systems, albeit at a slow speed of 0.5 KB/s.
Recommendation: While it has not been reported how this malware could be used to infect a computer or system, simple mitigations do exist. Concealing an LED that is within range of a camera, and covering windows so outsiders cannot peer inside, can prevent this style of attack, because a special camera is needed to capture the displayed binary code.
Tags: Malware

Linux Project Patches 11-Year-Old Security Flaw That Gives Attackers Root Access (February 23, 2017)
An intern at Google named Andrew Konovalov discovered a vulnerability in the Linux kernel, tracked as CVE-2017-6074. The vulnerability can be exploited with low-privilege access to gain root code execution rights. The double free vulnerability (a double free occurs when an application frees the same memory address twice) affects all Linux versions beginning with version 2.6.14.
Recommendation: Your company should ensure that software and operating systems are always kept up-to-date with the newest version. New vulnerabilities that could potentially cause harm to your company are reported by security researchers quite frequently, even in software and applications previously thought to be secure, as this story shows.
Tags: Vulnerability, Linux

Serious Bug Exposes Sensitive Data From Millions of Sites Sitting Behind CloudFlare (February 23, 2017)
There is a buffer overflow issue with edge servers belonging to CloudFlare, a content delivery network and web security provider, according to security researcher Tavis Ormandy. The vulnerability, dubbed “Cloudbleed,” occurred when edge servers ran past the end of a buffer and returned memory contents in responses. The returned memory contained sensitive data such as authentication tokens, encryption keys, HTTP cookies, HTTP POST bodies, and passwords; some of the leaked data has already been cached by search engines.
Recommendation: Even though Cloudflare mitigated the issue in less than an hour after discovery, your company should consider any data that passed through CloudFlare services to be at risk of having been viewed. Your company and employees should have proper policies in place regarding changing passwords on a frequent basis.
Tags: Cloudbleed, CloudFlare

New Crypto-ransomware Hits macOS (February 24, 2017)
A new ransomware campaign is targeting macOS users by masquerading on BitTorrent distribution websites as an application called “Patcher.” The malware is written entirely in the Swift programming language. The malicious torrent contains one zip file in which there are two fake applications, Adobe Premiere Pro and Office 2016 Patcher. If these applications are executed, the ransomware will generate a random 25-character string to use for encrypting files. A ransom note will be displayed that requests 0.25 bitcoins ($300). This poorly written ransomware is not capable of decrypting any files if the ransom is paid.
Recommendation: The best approach to the threat of ransomware is for all users to maintain secured backups of their data, keep their systems fully patched, and practice good security hygiene when browsing the internet. In the case of a ransomware infection, the affected system must be wiped and reformatted, other systems on the network should be assessed for similar infection, and the original attack vector must be identified in order to educate the victim and other employees.
Tags: Ransomware, MacOS

Results of the Rogue Access Point Experiment at RSA Conference 2017 (February 24, 2017)
Help Net Security researchers once again conducted their rogue access point (AP) experiment at this year’s RSA conference, with rather surprising results. By using a Pineapple Tetra and listening for Service Set Identifiers (SSIDs) from mobile devices, the researchers were able to capture 8,653 SSIDs and tricked 4,499 Wi-Fi clients into connecting to their rogue AP.
Recommendation: While this incident was just an experiment, it shows the genuine threat of devices connecting to potentially malicious Wi-Fi networks. Mobile devices should always be kept up-to-date with the latest patches, and Wi-Fi should always be turned off when in public locations.
Tags: Rogue Access Point, Experiment

Hacker Group Defaces Hundreds of Websites After Hacking UK Hosting Firm (February 25, 2017)
A threat actor group calling themselves the “National Hacking Society” (NHA) has defaced approximately 605 websites after compromising the hosting company Mesh Digital (DomainMonster[.]com). NHA has three members, known as Benajmin, GeneralEG and R3d HaXoR, according to researchers. The group has compromised over 1.5 million webpages and, in some instances, was able to install backdoors and compromise servers.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: National Hacking Society, Defacements

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.

EITest Tool Tip
The EITest gate or Traffic Direction System (TDS) is a service used by criminals to direct web traffic to Exploit Kits (EKs) that install malware on victims’ computers. In the past EITest has been observed directing traffic to Angler, Neutrino, and the Rig EK.
Tags: EITest-gate, EITest

It’s time for this year’s Mobile World Congress in Barcelona, February 27 to March 2, and I’m excited to share what we have in store for the Internet of Things (IoT). At MWC 2017, Intel will show how 5G will transform and improve all aspects of our daily lives such as in smart cities, connected homes, virtual reality and autonomous driving. We are delivering new technologies, and working with leaders in the industry on platforms, to realize the full promise of 5G. (More in Aicha’s post here). Just yesterday, we also announced a new category of ready-to-deploy commercial LTE-based devices via the Intel LTE IOT Quick Deployment (Intel LIQD) Program. AT&T will be the first major carrier to work with Intel (more in Dipti’s post here).

One thing is clear: 5G is happening now and will mark an inflection point in our industry. It will connect billions of “things” that haven’t been connected before, bringing intelligence and data to cars, homes, buildings, factories, cities, infrastructure and more to transform the way we live.

From the road to 5G and automated driving to smart cities and connected homes, MWC 2017 will be chock-full of transformational technology. Read on for a sneak peek at some of the most innovative platforms our team has lined up for you to experience. We look forward to seeing you at the show!

Automated Driving

Visit our autonomous driving demo to explore how the Intel 5G automotive platform and Intel Go automotive solutions enable an automated vehicle, in this case a BMW 740i, to sense the world around it. As the car moves to the center of the smart, connected and autonomous world, vehicles are increasingly learning to sense, reason and act to adapt to the real world. This experience will show how autonomous cars can learn from data (vehicle to network communication) and the experience of millions of cars (vehicle to vehicle communication), ultimately resulting in zero accidents and safer roads, more enjoyable commutes and reduced congestion in the world’s most polluted cities.

From a data stream emitting from a shark fin antenna and a holographic car outline to object detection and a smart traffic light, this experience offers a glimpse at how automated vehicles are driving us toward the smart cities of the future. Swing by to experience the road ahead.

Smart City

IoT represents a tremendous opportunity to shape the future and improve every life on this planet, with technologies from 5G emerging networks to cloud computing enabling smart cities to flourish. We will showcase Intel IoT ecosystem solutions, including:

Bosch air quality monitoring, a mobile edge computing solution that will allow faster analytics at the edge, allowing officials to interpret changes in air quality and make immediate decisions.

GE Light Pole, a platform for network densification in the emerging 5G world

City Beacon, a platform for network densification, client connectivity, network backhaul, situational awareness with security cameras and air quality sensors

First responder assistance using drones and more.

Come by to see how a city neighborhood can be equipped with a number of connected 5G IoT networks, device sensors and smart devices interacting with each other and reacting to environmental changes through edge and cloud analytics.

Smart & Connected Home

The 5G transformation ahead is leading to a fundamental re-architecting of the home network, bringing valuable innovation to users to eliminate the burdens many people experience with implementing smart homes today. Smart homes go beyond home automation or connecting devices to the cloud. The value of the smart home comes from addressing real human needs by easing the tasks of running a home, offering experiences that enrich daily life, and providing assurance that creates peace of mind. To be truly smart, a home must seamlessly interconnect diverse devices, services, and things throughout the home to become more.

At MWC 2017, we’re demonstrating a wide array of capabilities that include wireless broadband to the home, greater in-home Wi-Fi coverage, increased security and easy home automation. Join us to learn more about how IoT is scaling to accommodate a growing number of connected devices, enabling amazing experiences in our homes, our communities, and beyond.


MHN Community Data Stats

Overview

There were almost 85 million distinct honeypot events. We saw peak attack volume on January 1st, when 4.32 million events were reported. This fell to 1.8 million on January 6th (the third lowest volume by day — only January 30th and 31st saw fewer events).

Honeypot Types

Digging slightly deeper, the p0f honeypots produce the most events.

The table above shows events received by each distinct p0f honeypot. You’ll notice one p0f honeypot accounts for almost 11 million events alone — over 30% of all p0f events (there were 35.2 million p0f events in total).

Honeypot Source IPs

The source IP seen most across our honeypot network in January 2017 was 144.217.68.19 (almost 322,000 distinct events across 50+ honeypots). However, looking at individual attack data, 309,000 of these were against a single honeypot.

There are a number of internal IPs (10.x) in the top 20 shown below, which are probably the result of local honeypot testing (note: a single internal IP is likely reporting data from a high number of distinct sources).

Digging deeper on the top IP, 144.217.68.19, in the ThreatStream platform: the IP is listed as an IOC by four threat feeds, which report it as a phishing IP, a brute force IP, and a scanning IP (the scanning classification is unsurprising given the number of events).
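The views used in the Honeypot Types and Honeypot Source IPs passages above (share of a type's events per honeypot, top source IPs, how concentrated a source is against one honeypot, and which top sources are internal 10.x addresses) can be computed with a small aggregation. This is an added example, not MHN code; the four-field event shape and the sample counts are constructed, and the only real value is the page's own top IP.

```python
"""Aggregate honeypot events the way the MHN stats above are read.
Added example: the (honeypot id, honeypot type, source ip, count) shape is a
constructed stand-in for MHN's real event records, and counts stand in for
repeated events so the sample stays short."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample; 144.217.68.19 is the top IP named on the page.
SAMPLE_EVENTS = [
    ("hp-01", "p0f", "144.217.68.19", 3000),
    ("hp-02", "p0f", "144.217.68.19", 200),
    ("hp-03", "p0f", "198.51.100.4", 600),
    ("hp-04", "dionaea", "198.51.100.4", 400),
    ("hp-05", "cowrie", "10.0.0.5", 800),
    ("hp-06", "p0f", "192.0.2.9", 200),
]

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def events_by_type(events):
    """Total events per honeypot type (which sensor type is noisiest)."""
    totals = Counter()
    for _hp, hp_type, _ip, n in events:
        totals[hp_type] += n
    return dict(totals)

def honeypot_share(events, hp_type):
    """Fraction of one type's events that each individual honeypot produced."""
    per_hp = Counter()
    for hp, t, _ip, n in events:
        if t == hp_type:
            per_hp[hp] += n
    total = sum(per_hp.values())
    return {hp: n / total for hp, n in per_hp.items()} if total else {}

def top_sources(events, limit=20):
    """Source IPs ranked by event count, with the number of distinct honeypots that saw each."""
    totals, hps = Counter(), defaultdict(set)
    for hp, _t, ip, n in events:
        totals[ip] += n
        hps[ip].add(hp)
    ranked = sorted(totals, key=lambda ip: (-totals[ip], ip))
    return [(ip, totals[ip], len(hps[ip])) for ip in ranked[:limit]]

def concentration(events, ip):
    """The single honeypot that received most of this source's events, and its share."""
    per_hp = Counter()
    for hp, _t, src, n in events:
        if src == ip:
            per_hp[hp] += n
    if not per_hp:
        return None, 0.0
    hp, n = per_hp.most_common(1)[0]
    return hp, n / sum(per_hp.values())

def is_internal(ip):
    """RFC 1918 check. ip_address(...).is_private is deliberately not used: it
    also flags documentation ranges such as 198.51.100.0/24, which are not internal."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)

def summarize(events, limit=20):
    """Combine the views into one report: per-type totals plus an annotated top-N source list."""
    report = {"by_type": events_by_type(events), "sources": []}
    for ip, total, n_hps in top_sources(events, limit):
        hp, frac = concentration(events, ip)
        report["sources"].append({
            "ip": ip, "events": total, "honeypots": n_hps,
            "top_honeypot": hp, "concentration": round(frac, 4),
            "likely_local_testing": is_internal(ip)})
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS)["sources"]:
        print(row)
```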

Further reading

The MHN documentation is the perfect starting point if you’re interested in gaining access to the MHN Community data or want to learn more about how data sharing works.

Digital disruption is here to stay. Much like the electronic revolution that led to PCs, mobile phones and smart devices, energy grids are on the verge of a major change. Consider the network of power plants, utilities and power lines comprising energy grids, for a moment. What you effectively have is the largest machine in the world — one that is capable of delivering large amounts of data leading to transformational changes in the industry and our daily lives.

That realization is why I was so excited by the innovations on display at DistribuTECH, the largest annual electric power transmission and energy distribution conference and exhibition, where we showcased the solutions below. Read on to see how the Internet of Things (IoT) enables a more intelligent, reliable, safe and secure grid while also lowering costs for utilities, smart cities and other grid stakeholders. The future of energy does indeed look bright.

Increasing Worker Mobility and Collaboration

Connected wearable technologies are minimizing the non-value-added movement of people by providing relevant and actionable data to workers at the right time to avoid safety hazards and improve efficiency. Connected worker wearables like Recon Jet Pro capture and integrate real-time employee and environmental data that leads to actionable insights. This is ideal for real-time, step-by-step maintenance and repairs to a deteriorating system that is more than 30 years old.

Bringing Faster, Stronger Analytics to Utilities

As electric utility companies race against time to collect data from the grid, they need to understand which data is relevant, what to store, and what to ignore. SAS integrates streaming data with predictive analytics and visualization to help generate useful insights and improve decision-making.

Monitoring Across the Grid for Efficient Energy Distribution

With the increase in variable distributed energy resources (DERs) — people and renewable energy companies generating and feeding power back into the grid — it’s more challenging for substations to deliver predictable steady-state voltage and current. Utility companies rely on substation metering of secondary voltage and current transformer circuits to detect performance issues, which can be done with a SystemCORP and Intel-developed IEC 61850-compliant merging unit solution.

Improving Situational Awareness and Predictive Maintenance

IoT enables some of the most advanced technologies that provide situational awareness of grid performance. Spirae, a leading provider of DERMS and Microgrid control, offers innovative tools for integrating and actively managing DERs in terms of power, energy flow and ancillary services, maximizing their value to the grid and other parties. National Instruments delivers monitoring and predictive maintenance solutions for pumps and generation transformers that reduce risk and cost.

Accelerating Grid Solutions by Connecting Assets

IoT gateways are available to help accelerate the delivery of solutions in the energy industry, particularly with respect to smart grid distribution management systems. Examples include devices from AAEON, Advantech, Dell and NEXCOM. A smart and connected grid using IoT solutions could increase reliability and reduce power outages thanks to smart meters located at DERs and sensors embedded into transmission lines.

Pursuing New Lines of Business Through IoT Technology Partnerships

With the help of IoT technologies, utilities can more easily participate in new market segments. One example is the offering from Alarm.com that integrates all mission critical systems in the home into a single service. Another opportunity is to create smart building management solutions for small and mid-size buildings using the Intel Building Management Platform integrated with CANDI PowerTools.

This is a tremendously exciting time when we have an opportunity for transformational improvements to our current grid-control paradigm. In order to meet our planet’s growing energy needs, utilities require a fundamental change in how to control an ever more complex system. We look forward to continuing to work together to help the energy industry navigate the new technologies and diverse market sectors on the road ahead.
